Privacy and Encryption with PGP : Signing and Encrypting Email / Files

By | 2007/08/14

Preface

Saturday night the Ubuntu Utah Team had a great presentation on Privacy and Encryption: one very important topic and one very interesting topic. With as much as is going on these days to screw with our privacy (NSA), it isn’t a bad idea to learn a little bit about encryption. Now, I know you may think that you aren’t doing anything private, so what is the point? I’m not doing anything “private” either, but honestly, if I really wanted to talk to the NSA I’d send my emails directly to them. I’m not doing things that *need* to be hidden; it’s simply a matter of it not being any of their business.

I have for some time now been digitally signing my emails. If you’ve seen me pop up on a mailing list or gotten any emails from me, you’ve probably seen a digital signature in-line or as an attachment. Via this digital signature you can verify that the exact contents of the email that landed in your inbox are the same contents that left mine. If even *one* character changed, the signature would not validate and you could tell the email or signature had been tampered with.

I have also started signing and *encrypting* emails to others who also have a PGP key pair that I have personally trust-signed. We’ll get into the trust signing later, but I wanted to share a few steps and some other references on how you can generate your own key and also be able to sign and / or encrypt emails or files.

The GUI Front-End

There are a number of tools to help you generate and manage your PGP keys. I suggest seahorse on GNOME or kgpg on KDE. You can also use the command-line equivalent on either system, which is the same on both. (Note: there are also solutions for OS X and Windows, but I won’t get into those.)

First we’ll install the GUI front-end to go with the pre-installed GnuPG back-end.

sudo aptitude install seahorse (gnome)

or

sudo aptitude install gpa (gnome)

or

sudo aptitude install kgpg (kde)

Creating The Key

Now that we have one of these installed we’ll launch the front-end and start creating a key. In this example I’ll refer to seahorse but the steps should fairly easily transfer to the other two applications.

Applications > Accessories > Passwords and Encryption Keys

Select “Key” from the File Menu and “Create New Key” (ctrl-N).

This will prompt you with a selection between PGP and SSH. In this case we’ll want PGP.

The next window will prompt you for your full name, email address and comment. It is generally recommended to use your full legal name (not nicknames or aliases) and your primary valid email address. I suggest leaving the comment section empty.

You may want to select the “Advanced key options” button and set a higher key strength. The default type, DSA Elgamal at 2048, is a very powerful key strength, but it does support up to 4096 as well. Personally I chose 4096 but, again, the default 2048 is plenty powerful in itself.

You can also optionally select a date that this key will expire. Unless you know a reason why you’d want to do that (sometimes for temporary project-based keys, etc) you can safely set it to not-expire.

When you hit “Create” it will ask you for a passphrase to bind to this key pair. Choose a good, solid passphrase of more than a dozen characters to make this even more solid. Your digital signature and key are only as strong as their weakest link, which is the passphrase. If someone gets hold of your passphrase they can make use of your private key, decrypt emails sent to you or appear to be you! Once you have entered the passphrase it will generate your key pair. Remember this passphrase because, without it, the key pair is useless!

Depending on the key strength and the speed of your machine this may take a while. You should see a progress bar on the screen while it processes a new key. Just be patient.

You now have a basic key that is capable of digitally signing and optionally encrypting emails or files. One great use of this is to digitally sign the Ubuntu Code of Conduct as outlined here.
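
The tamper check described in the preface, run with the gpg command line (an added example, not part of the original post; it assumes GnuPG 2.1 or later, and the user ID, message text and file names are constructed). It works in a disposable keyring with a passphrase-less demo key, so it never touches ~/.gnupg:

```shell
#!/bin/sh
# Added example: sign a message with a throwaway key, then show that a
# one-character change makes verification fail. All names are constructed.

# Runs in a subshell with a temporary GNUPGHOME (mktemp -d creates it 0700).
# Prints "msg.txt.asc good" and then "tampered.asc bad".
sign_and_tamper_demo() (
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT

    # Disposable demo key: empty passphrase, expires after one day.
    # A real key gets a long passphrase, as the article says.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo User <demo@example.invalid>' \
        default default 1d >/dev/null 2>&1 || exit 1

    printf 'Meet at the LUG on Saturday at 7pm.\n' > "$GNUPGHOME/msg.txt"
    # --clearsign writes msg.txt.asc: the readable text plus the signature.
    gpg --batch --quiet --clearsign "$GNUPGHOME/msg.txt" 2>/dev/null || exit 1

    # Alter a single character of the signed text: 7pm becomes 8pm.
    sed 's/7pm/8pm/' "$GNUPGHOME/msg.txt.asc" > "$GNUPGHOME/tampered.asc"

    # gpg --verify exits 0 only when the signature matches the content.
    for f in msg.txt.asc tampered.asc; do
        if gpg --batch --verify "$GNUPGHOME/$f" >/dev/null 2>&1; then
            echo "$f good"
        else
            echo "$f bad"
        fi
    done
)

sign_and_tamper_demo || echo "demo failed (is gpg 2.1+ installed?)" >&2
```
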

Using the Key

For those of you who want to get started signing emails right away, you may be interested in some of the extensions available for commonly used mail applications. Thunderbird has a great one (actually the #1 reason I use Thunderbird as my client) with Enigmail. You can find it on the Mozilla add-ons site or via the Ubuntu repositories.

Evolution has PGP support built in but it is not as flexible (or at least I haven’t figured it out). You can find this in the Privacy tab of your email box settings.

Now this tutorial is getting a bit long so I’ll have to expand this next time and explain expanding your key with your alternate email addresses, keysigning parties, etc.

Until then I hope this helped a little bit.

UPDATE: screenshots of the key creation here [1,2,3,4]

Two major things to remember before you run off and start playing around. Remember your passphrase and back up your private key!!

Your public and private keys are found in ~/.gnupg/ . I suggest backing up this entire folder to an external USB. If you lose your private key the whole pair is useless. Even if you still have the public key and the passphrase the private key section is the most critical part of the process.

14 thoughts on “Privacy and Encryption with PGP : Signing and Encrypting Email / Files”

  1. Loye Young

    This is a great subject and a great tutorial.

    I want to make a comment about the reasons for signing and encrypting email and files: it’s simply good practice.

    Everyone should migrate to email signing and encryption, and the reasons are more mundane than most folks acknowledge. I’m not worried about the NSA reading my email; I’m not grandiose enough to think the NSA cares about me or my email. I’m more worried about run-of-the-mill spam, identity theft, and credit card fraud. In the workplace, confidentiality of employee information, communications among executives and other supervisors, reprimands, payroll information, etc., are all solid reasons to implement signing and encryption.

    Thanks for your tutorial.

    Happy Trails,

    Loye Young
    Isaac & Young Computer Company
    Laredo, Texas
    http://www.iycc.biz

  2. anonymous email

    GnuPG is by far the best openPGP implementation. Although the GUI interface looks a bit crappy, it works like a charm.

    I have realized many projects with GNUPG and can recommend it to everybody. There is no need to buy PGP.

  3. TG

    As you so rightly pointed out, the entire point is to stop eavesdropping on your emails. So why is it that Enigmail encrypts the email on the disk too?

    I’m just waiting for Enigmail to introduce the functionality to NOT encrypt the email when it saves it to your ‘sent’ folder as well.

    You know, I would think this was a pretty darn trivial thing to implement, but I’ve been directed to the roadmap every time I’ve asked the developers of Enigmail, and told that this functionality is planned for version 1.1

    I’ve been waiting for this functionality for 7 years now. So I am less than impressed with this plugin.

    Much less.

  4. Frode

    —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    For Firefox users, there’s FireGPG – integrates pretty well, with special support for Gmail built in.

    Cheers,
    Frode

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.6 (GNU/Linux)
    Comment: http://firegpg.tuxfamily.org

    iD8DBQFGw7r7r6IvDyc73qkRAikrAJ9j5ciLHrW0NVGOZnfxEdrJ1S0S8gCfd+iF
    6wkkhA03Tw50xGra9bf7lGI=
    =pXfV
    —–END PGP SIGNATURE—–

  5. Frode

    But it looks like the comments on this site are processed in some way, making my signature break..

  6. ScottK

    For Gutsy, Kmail/Kontact will come configured to work with gnupg by default. All you should have to do is tell it which key to use.

  7. MikeT

    @Ronald Whiting

    Why go through all this trouble? Well because GPG/PGP is free, unlike your “SuiteBeams” service.

  10. Thomas

    http://www.suitebeams.com
    “By contrast, ‘Beams’ can’t be corrupted nor cracked.”

    SNAKEOIL ALERT!

    The site proudly claims “1024 [bit] Public Key Encryption”

    but Wikipedia (click in “key size” from the “public key” link provided on their homepage) states:

    “For example, the security available with a 1024-bit key using asymmetric RSA is considered approximately equal in security to an 80-bit key in a symmetric algorithm”

    Wow… 80 bit encryption…. I’m getting nostalgic just thinking about it.

    also:
    “TriCycleID” oh yeah… the secret question. PLEASE NO!!

    “iQue” ever heard of shoulder surfing?

    “Chroncrete” wow, they have re-invented exponential backoff!

  11. Brian Napoletano

    This is a great article. Thanks for posting it! One thing that you might want to make a bit more explicit is that the passphrase, unlike a passcode, is meant to be just that, a multi-word phrase, not just a simple password. I would also recommend generating a revocation certificate when you generate the key, so that you can at least revoke the key if you lose the passphrase.

    On the topic of integrating GnuPG with your email, I did some research on the issue and posted an article that might be helpful: http://www.napoletano.net/front/node/352

  12. Mark

    It’s hard to make anything secure, or safe
    But not hard to make them safer than current

    Sadly, none of my usual email contacts care about email (a lot have that “I’ve got nothing to hide” mentality). I’ve nothing to hide either, but I’m the “it’s still none of their business” type.

    Now with Portable Apps Thunderbird, it’s easy to make a truecrypt file container the size of a CD or DVD and install Thunderbird with enigma and gpg, Firefox with Firegpg, and Portable Gaim with the Gaim-encryption plug-in, to further wrap up logs and email on my computer in an encrypted layer. But that still leaves security gaps on the server till I can talk other folks into using mail and streaming encryption.

    Why all the trouble? ’Cause I use a laptop, so in event I protected the folks that not even cared for protecting themselves (in-closet pagans), etc.

    Lover of Lycra
    =======================================
    http://spandex31095.tripod.com/
    Skype: Werewolf6851
    ===== Instant Messenger Accounts ======
    Yahoo: lover_of_lycra
    ICQ: 304325894
    MSN: [email protected]
    AIM: LycraloverWolf
    =======================================
    GPG key 76E6C1BC with following fingerprint
    D508 2C9D B3A9 2F0E E472 95A8 2D8C B9E6 76E6 C1BC
    =======================================
